For security reason, you are recommended to restrict remote access to your network via SSH or Telnet by allowing a certain whitelist IP addresses in order to prevent brute-force attack. If you own a Cisco IOS XR, you are coming to the right place. Here, we provide you the best and recommended way to secure your Cisco IOS XR. There are two ways that we can do to accomplish this.
1. Using ACL (Not Preferred Method)
This is how to apply the access-class a-la IOS:
access-class ingress MYACL
The line template default needs to be associated with your VTY pool or SSH pool right like this:
vty-pool default 0 4 line-template default
And of course, Telnet daemon needs to run:
telnet vrf default ipv4 server max-servers 4
ipv4 access-list VTY-ACL
10 permit ipv4 10.0.0.0 0.0.0.255 any
20 deny ipv4 any any log
ipv6 access-list VTY-ACL
10 permit ipv6 2001:DB8::/32 any
20 deny ipv6 any any log
vty-pool default 0 10
access-class ingress VTY-ACL
The reason why this is not preferred is because all the traffic received for telnet is processed by the hardware on the LC and sent to the RP. Then goes through all the forwarding chain until Telnet verifies it against the ACL and says OK deny.
2. Using MPP (Recommended Method)
Using MPP, which is hardware based, we can drop packets immediately in the hardware so they are not further forwarded and saves system resources and provides better protection.
In below case, we enable only SSH for remote access and disabled Telnet which is consider as insecure protocol.
transport input ssh
allow SSH peer
address ipv4 126.96.36.199/24
address ipv4 192.168.100.254/32
address ipv6 1234:abcd::/32
Also, if you are having multiple VRFs configured on your system, using below command to enable SSH for specific VRF.
ssh server vrf TRANSIT
ssh server vrf MANAGEMENT
And that’s it!! Now you secure your Cisco XR from brute-force attack with the recommended way.